dridex | 7126dd06985d20a9411b370715973a5eda642003567fe11aed9848cd25cea415

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d69063a86c406e82e46e5747e5ef8794_JaffaCakes118.dll
Size

1.2MB
MD5

d69063a86c406e82e46e5747e5ef8794
SHA1

55511b528dd91aa2b5fc7cd24916103a9ad24a5f
SHA256

7126dd06985d20a9411b370715973a5eda642003567fe11aed9848cd25cea415
SHA512

1b9a3def2cb145cc645828a7880b76781c25bf8ef8bf66f0c167fb9ccd924400a86b6cb2e51725b6d4297b75825291053d0e97edbc60d109b7d4f66681b881dd
SSDEEP

24576:vuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:R9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002A50000-0x0000000002A51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2796	wusa.exe
2636	Magnify.exe
1900	rstrui.exe

Loads dropped DLL 7 IoCs

pid	Process
1200	Process not Found
2796	wusa.exe
1200	Process not Found
2636	Magnify.exe
1200	Process not Found
1900	rstrui.exe
1200	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\0MlHjv\\Magnify.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2936	1200	Process not Found	31
PID 1200 wrote to memory of 2936	1200	Process not Found	31
PID 1200 wrote to memory of 2936	1200	Process not Found	31
PID 1200 wrote to memory of 2796	1200	Process not Found	32
PID 1200 wrote to memory of 2796	1200	Process not Found	32
PID 1200 wrote to memory of 2796	1200	Process not Found	32
PID 1200 wrote to memory of 2580	1200	Process not Found	33
PID 1200 wrote to memory of 2580	1200	Process not Found	33
PID 1200 wrote to memory of 2580	1200	Process not Found	33
PID 1200 wrote to memory of 2636	1200	Process not Found	34
PID 1200 wrote to memory of 2636	1200	Process not Found	34
PID 1200 wrote to memory of 2636	1200	Process not Found	34
PID 1200 wrote to memory of 2816	1200	Process not Found	35
PID 1200 wrote to memory of 2816	1200	Process not Found	35
PID 1200 wrote to memory of 2816	1200	Process not Found	35
PID 1200 wrote to memory of 1900	1200	Process not Found	36
PID 1200 wrote to memory of 1900	1200	Process not Found	36
PID 1200 wrote to memory of 1900	1200	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d69063a86c406e82e46e5747e5ef8794_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2936

C:\Users\Admin\AppData\Local\qgC\wusa.exe
C:\Users\Admin\AppData\Local\qgC\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2796

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:2580

C:\Users\Admin\AppData\Local\HL9JE\Magnify.exe
C:\Users\Admin\AppData\Local\HL9JE\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2636

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:2816

C:\Users\Admin\AppData\Local\jLU\rstrui.exe
C:\Users\Admin\AppData\Local\jLU\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HL9JE\MAGNIFICATION.dll

Filesize
1.2MB

MD5
13b1f8042a05894dafc356a3591af6d1

SHA1
96dbec1a0ba503186dc70a2b01a5b74f08b7c30c

SHA256
58672d954e934db00d3471f1524c521c80be866c19838e89a12745a21d8e4b12

SHA512
b8939ba100cc157b1f8225168c9137e6481004135e519575f0c5b9d68ecba8d483a0ad3d720ac2660bcc93ff29ea2d4e1f0bc7d4eb203ae7dd2aba6373039984

Download Submit
C:\Users\Admin\AppData\Local\jLU\SPP.dll

Filesize
1.2MB

MD5
ec958478a718b4bb5212c65d1ed95130

SHA1
ec4fa40bf79a597f125e4c7330b7b695c1972572

SHA256
0306281208da7a3d71efbb12932bd39c09a1dbd793b32fe9c9e637107dcbdb2d

SHA512
4fb021b3a99c9c63f643990a6b76bc741439f23e8e25c96c58ed1f0ac82a54ed7a2665327849d8aee03fcad03b874cccb48f15ea8aa0510d8e53433fde22d4f7

Download Submit
C:\Users\Admin\AppData\Local\qgC\dpx.dll

Filesize
1.2MB

MD5
e84d9df7f78a07817effbb58c161a108

SHA1
d07f6892ff725251065570f7cadbc6817486a82c

SHA256
055523c0b265f614db08989043b369071d5e2481f30a859711925a84f6038129

SHA512
1d4f474bcd092739258eaf078e890e81adc1472d80a56b71140503656c67a5c62f2dbfdeb56167090dc877b841481357755cdf902c60d4a03ba3ec403c668aee

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
1KB

MD5
3f03a58d43b75b3f408136a7902fa02e

SHA1
c0f7baa2d7b5b6b712efca59bf26ed3def19b454

SHA256
24cdb1a6810f899135d63f7c03dfd95b18eca120e7287e150c81095909ac7145

SHA512
01eeaa3c235e4be8d83b33e0520a000853e8d30d39e048429a6f3bb6be2b013041b2aac26a6f09fead1e5c5d02231341ee0fcd58ce173b1e8fe418bd2cd0a916

Download Submit
\Users\Admin\AppData\Local\HL9JE\Magnify.exe

Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
\Users\Admin\AppData\Local\jLU\rstrui.exe

Filesize
290KB

MD5
3db5a1eace7f3049ecc49fa64461e254

SHA1
7dc64e4f75741b93804cbae365e10dc70592c6a9

SHA256
ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

SHA512
ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

Download Submit
\Users\Admin\AppData\Local\qgC\wusa.exe

Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
memory/1200-27-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/1200-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-4-0x0000000076C36000-0x0000000076C37000-memory.dmp

Filesize
4KB

Download
memory/1200-26-0x0000000076D41000-0x0000000076D42000-memory.dmp

Filesize
4KB

Download
memory/1200-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-5-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1200-46-0x0000000076C36000-0x0000000076C37000-memory.dmp

Filesize
4KB

Download
memory/1200-25-0x0000000002A30000-0x0000000002A37000-memory.dmp

Filesize
28KB

Download
memory/1200-17-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1900-90-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1900-96-0x000007FEF5C90000-0x000007FEF5DC1000-memory.dmp

Filesize
1.2MB

Download
memory/2600-45-0x000007FEF5CA0000-0x000007FEF5DD0000-memory.dmp

Filesize
1.2MB

Download
memory/2600-0-0x0000000001E00000-0x0000000001E07000-memory.dmp

Filesize
28KB

Download
memory/2600-1-0x000007FEF5CA0000-0x000007FEF5DD0000-memory.dmp

Filesize
1.2MB

Download
memory/2636-75-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download
memory/2636-72-0x000007FEF5C90000-0x000007FEF5DC1000-memory.dmp

Filesize
1.2MB

Download
memory/2636-78-0x000007FEF5C90000-0x000007FEF5DC1000-memory.dmp

Filesize
1.2MB

Download
memory/2796-60-0x000007FEF6C00000-0x000007FEF6D31000-memory.dmp

Filesize
1.2MB

Download
memory/2796-54-0x000007FEF6C00000-0x000007FEF6D31000-memory.dmp

Filesize
1.2MB

Download
memory/2796-57-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download